Add signing for cert-manager artifacts

[SgtCoDFish]

Overview

Supply chain security is a popular topic in infosec at the moment, largely because of several high-profile incidents using supply chain attacks. The issue is getting worse, too; as software becomes more complex and proliferates in the cloud, the supply chain also becomes more distributed and introduces several new points of trust, including in programming language package managers, operating system package managers, software platforms such as Kubernetes and the software itself being developed.

Signing is one of the answers for combating supply chain attacks. Assuming that private keys are kept private to the software producer and that trust of the signing keys can be established ahead of time for the client, signing allows a client to assert that the software it received was packaged by the organization owning the signing keys and wasn’t tampered with.

We'd like to add this functionality to at least some of the cert-manager artifacts, possibly expanding the list of signed artifacts in the future to include more.

See also the project spec and the technical spec.

What to Sign?

To start, we'd like to add signing for:

• Helm charts, which we believe to be a popular way of installing cert-manager and for which an easy verification process already exists (via the helm CLI)
• Container images, which all cert-manager installations use and which the Sigstore project's cosign tool makes simple.

To ensure that nobody can access the private key of the signing keypair, we'll use KMS to store the key, and all signing operations will go through that key.

Pull Requests and Work

• Import resources using terraform, store state in a shared area for maintainers and add terraform specs to a shared github repo
• Re-enable container signing and bump cosign version release#71 - re-enable pushing sigs in cmrel (possible now quay.io supports this)
• Add notes about container signing now it's enabled again website#882 - re-add container signature docs to website
• Add kms/pgp bootstrapping commands for signing release#48 - enables the exporting of KMS public keys without requiring any user to have access to the key directly. Also bootstraps PGP identity for use with helm
• Add support for signing helm charts and bundled manifests  release#49 - enables signing helm charts by using a shim to treat KMS as a PGP key
• Add standalone signing commands  release#53 - adds "emergency" manual signing commands to cmrel
• Add docs (+ keys!) for code signing website#699 - document signing + keys on website
• Allow running actions for publishing separate artifacts independently release#54 - Allow running each publish step in isolation (helps with testing container signing + helps with release-process resilience later)
• Allow specifying manual arch/os combinations when staging release#56 - Allow specifying manual arch/os combinations (helps with testing helm chart signing locally)
• Add script for generating a GPG keyring from an armored key release#52 - Adds a script to help with PGP bootstrapping actions (useful for creating docs + downloadable keys for website)
• Add container signing during publish release#58 - adds container signing as part of a publish
• Add default KMS where possible, and pass keys in gcb publish job release#59 - fix publish GCB job + QoL improvements
• update jetstack-internal helm chart automation to add artifacthub signKey annotation
• Move cert-manager-release infrastructure to CNCF's GCP account release#50 - migrating the cert-manager-release GCP project to the CNCF GCP account (this isn't necessarily fully complete, but it's complete enough for our use cases when it comes to signing)
• Add tgz and .prov file in a single commit to charts repo (closed source) to address possibility of a race condition

Bonus PRs arising from this work:

• Use contexts when shelling out to docker release#57 - Docker contexts (also helps with shelling out to cosign)
• Minor cleanup of gcb stage command release#55 - gcb stage cleanup
• Add flag for manually specifying a hash algo when verifying sigstore/cosign#1071 - A PR against cosign to allow users to verify our container signatures

/kind feature

[SgtCoDFish]

Update 2021-11-23: I still need to do the infrastructure for this, which involves first provisioning a cert-manager-infrastructure account in CNCF's GCP org.

We're also still blocked on actually pushing cosign signatures since quay.io still doesn't support them.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[SgtCoDFish]

Worth updating again here: I had delayed work on this pending quay.io adding support and softly behind formally moving the cert-manager-release project into the CNCF org.

The org move is now pretty firmly blocked since the person taking care of it has other priorities, but the quay.io support seems to be there. I should revisit this.

[SgtCoDFish]

/remove-lifecycle rotten

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[SgtCoDFish]

/remove-lifecycle rotten

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[joebowbeer]

/remove-lifecycle stale

[SgtCoDFish]

I think this can be closed - IaC would be great for this but there's no resourcing for it and it won't happen any time soon.